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A New Cryptographic Signature Method for 
Domainkeys Identified Mail (DKIM) 


Abstract 


This document adds a new signing algorithm, Ed25519-SHA256, to 
"Domainkeys Identified Mail (DKIM) Signatures" (RFC 6376). DKIM 
verifiers are required to implement this algorithm. 


Status of This Memo 
This is an Internet Standards Track document. 


This document is a product of the Internet Engineering Task Force 


(IETF). It represents the consensus of the IETF community. It has 
received public review and has been approved for publication by the 
Internet Engineering Steering Group (IESG). Further information on 


Internet Standards is available in Section 2 of RFC 7841. 


Information about the current status of this document, any errata, 
and how to provide feedback on it may be obtained at 
https://www.rfc-editor.org/info/rfc8463. 
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document authors. All rights reserved. 


This document is subject to BCP 78 and the IETF Trust’s Legal 
Provisions Relating to IETF Documents 
(https://trustee.ietf.org/license-info) in effect on the date of 
publication of this document. Please review these documents 
carefully, as they describe your rights and restrictions with respect 
to this document. Code Components extracted from this document must 
include Simplified BSD License text as described in Section 4.e of 
the Trust Legal Provisions and are provided without warranty as 
described in the Simplified BSD License. 
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1. Introduction 


DKIM [RFC6376] signs email messages by creating hashes of selected 
message header fields and body and signing the header hash with a 
digital signature. Message recipients fetch the signature 
verification key from the DNS. The defining documents specify a 
single signing algorithm, RSA [RFC3447] (which has since been 
obsoleted by [RFC8017]). 


This document adds a new, stronger signing algorithm, Edwards-—Curve 
Digital Signature Algorithm, using the Curve25519 curve (Ed25519), 
which has much shorter keys than RSA for similar levels of security. 


2. Conventions Used in This Document 


The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 
"OPTIONAL" in this document are to be interpreted as described in 
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all 
capitals, as shown here. 


Syntax descriptions use Augmented BNF (ABNF) [RFC5234]. The ABNF 
tokens sig-a-tag-k and key-k-tag-type are imported from [RFC6376]. 
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Ed25519-SHA256 Signing Algorithm 


The Ed25519-SHA256 signing algorithm computes a message hash as 
defined in Section 3 of [RFC6376] using SHA-256 [FIPS-180-4-2015] as 
the hash-alg. It signs the hash with the PureEdDSA variant Ed25519, 
as defined in RFC 8032, Section 5.1 [RFC8032]. Example keys and 
signatures in Appendix A are based on the test vectors in RFC 8032, 
Section 7.1 [RFC8032]. 


The DNS record for the verification public key has a "k=ed25519" tag 
to indicate that the key is an Ed25519 rather than an RSA key. 


This is an additional DKIM signature algorithm added to Section 3.3 
of [RFC6376] as envisioned in Section 3.3.4 of that document. 


Note: since Ed25519 public keys are 256 bits long, the base64-encoded 
key is only 44 octets, so DNS key record data will generally fit ina 
single 255-byte TXT string and work even with DNS provisioning 
software that doesn’t handle multistring TXT records. 

Signature and Key Syntax 
The syntax of DKIM signatures and DKIM keys are updated as follows. 


1. Signature Syntax 


The syntax of DKIM algorithm tags in Section 3.5 of [RFC6376] is 
updated by adding this rule to the existing rule for sig-a-tag-k: 


ABNF: 


sig-a-tag-k =/ "ed25519" 


-2. Key Syntax 


The syntax of DKIM key tags in Section 3.6.1 of [RFC6376] is updated 
by adding this rule to the existing rule for key-k-tag-type: 


ABNF: 

key-k-tag-type =/ "ed25519" 
The p= value in the key record is the Ed25519 public key encoded in 
base64. Since the key is 256 bits long, the base64 text is 44 octets 


long. See Appendix A.2 for a sample key record using the public key 
in [RFC8032], Section 7.1, Test 1. 
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Choice and Strength of Keys and Algorithms 


Section 3.3 of [RFC6376] describes DKIM’s hash and signature 
algorithms. It is updated as follows: 


Signers SHOULD implement and verifiers MUST implement the 
Ed25519-SHA256 algorithm. 


Transition Considerations 
For backward compatibility, signers can add multiple signatures that 
use old and new signing algorithms. Since there can only be a single 
key record in the DNS for each selector, the signatures have to use 
different selectors, although they can use the same d= and i= 


identifiers. 


The example message in Appendix A has two signatures with the same d= 
and i= identifiers but different a= algorithms and s= selectors. 


Security Considerations 
All of the security advice in [RFC6376] continues to apply, except 
that the security advice about Ed25519 in Section 8 of [RFC8032] 
supplants the advice about RSA threats. 

TANA Considerations 

IANA has updated a registry as follows. 


"DKIM Key Type" Registry 


The following value has been added to the "DKIM Key Type" registry: 


4+--------- 4+----------- 4+-------- + 
| TYPE | REFERENCE | STATUS | 
4+--------- 4+----------- 4+-------- + 
| ed25519 | [RFC8032] | active | 
4+--------- 4+----------- 4+-------- + 


Table 1: Value Added to the "DKIM Key Type" Registry 
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Appendix A. Example of a Signed Message 


This is a small message with both RSA-SHA256 and Ed25519-SHA256 DKIM 
signatures. The signatures are independent of each other, so either 
signature would be valid if the other were not present. 


A.1. Secret Keys 


Ed25519 secret key in base64. This is the secret key from [RFC8032], 
Section 7.1, Test 1, converted from hex to base6é4. 


nWGxne/ 9WmC 6hErO0kuwsxERJxW17MmkZcDusAxyuf2A= 


RSA secret key in PEM format. 


MIICXQIBAAKBgQDkH1O0QoBTzWRiGs5V6NpP 3idY 6Wk0 8a5qhdR6wy5bdOKb2 jLQi 
Y/JI1L6TYi0Ovx/byYzCNb3W91y3FutACDfzwO0/BC/e/8uBsCRtyz1Lxj+PL61HvqM 
KrM3rG4hstT5QjvHO9P zoxZyVYLZBfO2KeC3Ip3G+2kryOTIKT+1/K4w3QIDAQAB 
AoGAHOcxOhF ZDgzXWhDhnAJDw5s 4roOXN40hjixa8wW7Y3rhx3FJqmJSPuC8N9vOm 
6SVbaLAE4SG5mLMueHlLh4KXf fFEpuLEiNp9Ss304YfLIOpPbRGE7Tm5SxKjvvQoZZe 
zHorimOaChRL2it47iuWxzxSiRMv4ct+j70GiWdxXnxe4U0ECQQDzJB/O0U58W7RZy 
6enGVj2ZkKWE732CoWF ZWzilFicudrBFoy 63QwcowpoCazKtvZGMN1PWnC7x/608Gce 
uSe0ga2xAkEA8C7PipPm1/1f£TROVj10/dDmZp243044ZNyx jg+/OPNOOWCbXIGxy 
WvmZbXriOWoSALJT jExEgraHEgnXssuk7QJBALI5ICSYMu6hMx073gnfNayNgPxd 
WEV6Z7ULnKyV7HSVYFOhgYOHjeYe9gaMt iJYoo0zGN+L3AAtNP 9huqkW1zECOEla 
licIeVlole+qu6éMgqr0Q7Aa7falZ448ccbSFYEPD60FxiO19Y9se9i YHZKKfIcst 
o7DUw1/hz2Ck4N5J3rgUCQQCyKveNv jzkkd8HJYSOSwMOfP4jK16//5qDZ2UiDGn0e 
uEZxXBDAr518Z8VFbDR41in3W4Y3yCDgQ1L1IcETrS+zYcL 


A.2. Public Key DNS Records 


The public key p= value in the first record is the public key from 
[RFC8032], Section 7.1, Test 1, converted from hex to base6é4. 


brisbane._domainkey.football.example.com. IN TXT ( 
"v=DKIM1; k=ed25519; p=1l1qYAYKxCrfVS/7TyWQHOg7hcvPapiMlrwlaaPcHURo=") 


test._domainkey.football.example.com. IN TXT ( 
"V=DKIM1; k=rsa; p=MIGf£fMAN0GCSQGS Ib3DQEBAQUAA4GNADCBiQKBgQDkH1LOQoBTzWR" 
"iGsSV6NpP 3idY 6Wk0 8a5qhdRé6éwy 5bd0Kb2 jLOiY/J16TYi0QvVx/byYZCNb3W91ly3FutAC" 
"Df zwO/BC/e/8uBsCRtyz1Lxj+PL6lHvqgMKrM3rG4hstT50jvHO9PzoxZyVYLZBfO2EeC3" 
"Tp3G+2kryOTIKT+1/K4w3QIDAQAB") 
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A.3. Signed Message 


The text in each line of the message starts at the first position 
except for the continuation lines on the DKIM-Signature header 
fields, which start with a single space. A blank line follows the 
"Joe." line. 


DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; 
d=football.example.com; i=@football.example.com; 
q=dns/txt; s=brisbane; t=1528637909; h=from : to 
subject : date : message-id : from : subject : date; 
bh=2 jUSOHONht VGCOWNr 9Br IAPreKQjO6Sn7XIkfIVOzv8=; 
b=/gCrinpcQOol fFuHNOIbaq4pgh9ky I K3AQUdt 9YOdqQehSwhEIug4D11Bus 
Fa3bT3FY50sU7ZbnKELqteXdp101Dw== 

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
d=football.example.com; i=@football.example.com; 
q=dns/txt; s=test; t=1528637909; h=from : to : subject 
date : message-id : from : subject : date; 
bh=2 jUSOHONht VGCOWNr 9Br IAPreKQjO6Sn7XIkfIVOzv8=; 
b=F 45d VWD fMbQDGHJF1XUNB2HKfbCeLRyhDXgFpEL8GwpsRe0lelixNTe3 
DhCV1UrSjV4BwcVcOF 6+FF3Z09RpoltFOeS 9mP YOTNGdaSGsgeefOsk2Jz 
dA+L10TeYt 9BGDFONZtKAN1WO//KgI qxP 70dEFE4LIFYNCUxXZQ4FADY+8= 

From: Joe SixPack <joe@football.example.com> 

To: Suzie Q <suzie@shopping.example.net> 

Subject: Is dinner ready? 

Date: Fri, 11 Jul 2003 21:00:37 -0700 (PDT) 

Message-ID: <20030712040037.46341.5F8J@football.example.com> 


Hi. 
We lost the game. Are you hungry yet? 
Joe. 
Author’s Address 
John Levine 
Taughannock Networks 
PO Box 727 
Trumansburg, NY 14886 
United States of America 


Phone: +883.5100.01196712 
Email: standards@taugh.com 
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